Bug #7203
openImprove D1NodeService.isAuthorized() performance
0%
Description
We're seeing poor performance in calls to D1NodeService.isAuthorized()
on https://arcticdata.io. When the system Metacat is under light load (< 10 requests per second), calls to isAuthorized()
are taking up to 35 seconds to return either an HTTP 200
response or a HTTP 403
exception.
Change isAuthorized()
to prioritize user-based authorization first, and then CN or MN authorization last. This should increase performance for end users, whereas MN to MN replication calls and CN-administrative calls will be slightly less prioritized.
Note that calls to userHasPermission()
involve token verification using the PortalCertificateManager
and the TokenGenerator
. These calls may be repeatedly making a call to the CN to get the SSL certificate for verification if it is not cached. If this change doesn't significantly improve performance, look into refactoring those classes in d1_portal
to cache and use the certificate, unless there is a verification exception, in which case we make the call to fetchCertificate()
again, re-cache it, and attempt to re-verify the token. If it still fails, throw NotAuthorized
.
Updated by Chris Jones over 7 years ago
I've re-ordered the authorization in isAuthorized()
. Needs testing, and merging into the 2.8.x branch.
Updated by Chris Jones over 7 years ago
- Subject changed from Improve D!NodeService.isAuthorized() performance to Improve D1NodeService.isAuthorized() performance